Zone Protection for Multi-path TCP (MPTCP) Evasions
You can now enable or disable Multi-path TCP (MPTCP) globally or for each network zone. MPTCP is an extension of TCP that allows a client to simultaneously use multiple paths (instead of a single path) to connect with a destination host. MPTCP especially benefits mobile users, enabling them to maintain dual connections to both Wi-Fi and cellular networks as they move—this improves both the resilience and quality of the mobile connection and enhances the user experience. However, MPTCP can also potentially be leveraged by attackers as part of an evasion technique. This feature provides the flexibility to enable or disable MPTCP for all firewall traffic or for individual network zones, based on the visibility, performance, and security requirements for each network zone.
By default, MPTCP support is disabled on the firewall, and the firewall converts MPTCP connections to regular TCP connections. However, you can choose to enable MPTCP support globally or for certain network zones.
- For all firewall traffic. You can use the following CLI command to enable or disable MPTCP support for firewall traffic:
set deviceconfig setting tcp strip-mptcp-option [no | yes]
- Enter no to enable MPTCP support (the firewall does not remove the MPTCP option field from packets).
- (Default) Enter yes to convert MPTCP connections to TCP connections (the firewall removes the MPTCP option field from packets).
- For a network zone. Zone protection profiles allow you to set up security between network zones. Following the upgrade to PAN-OS 8.0, both existing and new zone protection profiles are set to support MPTCP by default. Take the following steps to enable or disable MPTCP support for a specific network zone:
- Select Network > Network Profiles > Zone Protection and modify or Add a zone protection profile.
- Select Packet Based Attack Protection > TCP Drop.
- Select one of the Multipath TCP (MPTCP) Options to apply to the network zone:
- no—Enable MPTCP support (do not strip the MPTCP option).
- yes—Disable MPTCP support (strip the MPTCP option). With this option configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
- global—Support MPTCP based on the global MPTCP setting (the setting described above for all firewall traffic).
- Click OK to save the profile. If MPTCP support is disabled globally but you want to support MPTCP for certain network zones, make sure that you enable MPTCP for every zone that the traffic traverses; a single zone set to strip the option converts the connection to plain TCP.
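To make the "strip the MPTCP option" behaviour concrete, the following Python is an added illustration (not Palo Alto Networks code, and not how PAN-OS implements the feature internally). It parses the option area of a TCP header, reports which MPTCP subtypes are present, and rewrites the kind-30 option to NOPs so the peer sees an ordinary TCP segment with the same header length. The sample SYN, its ports and its MP_CAPABLE key are constructed values.

```python
import struct

MPTCP_KIND = 30          # TCP option kind assigned to MPTCP (RFC 6824 / RFC 8684)
NOP, EOL = 1, 0
MPTCP_SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
                  4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}

def parse_tcp_options(tcp_header):
    """Return [(kind, data), ...] from the options area; raise on malformed lengths."""
    data_offset = (tcp_header[12] >> 4) * 4            # header length in bytes
    opts, out, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            out.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = opts[i + 1]
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out

def mptcp_subtypes(tcp_header):
    """Names of the MPTCP subtypes present (upper nibble of the first option data byte)."""
    return [MPTCP_SUBTYPES.get(data[0] >> 4, "UNKNOWN")
            for kind, data in parse_tcp_options(tcp_header) if kind == MPTCP_KIND and data]

def strip_mptcp_option(tcp_header):
    """Overwrite each MPTCP option with NOPs so the segment becomes plain TCP.
    Data offset and the other options are untouched; the TCP checksum is not
    recomputed here (a real device redoes it with the IP pseudo-header)."""
    parse_tcp_options(tcp_header)                     # validate before rewriting
    data_offset = (tcp_header[12] >> 4) * 4
    opts, i = bytearray(tcp_header[20:data_offset]), 0
    while i < len(opts) and opts[i] != EOL:
        if opts[i] == NOP:
            i += 1
            continue
        length = opts[i + 1]
        if opts[i] == MPTCP_KIND:
            opts[i:i + length] = bytes([NOP]) * length
        i += length
    return tcp_header[:20] + bytes(opts) + tcp_header[data_offset:]

# Constructed sample: a client SYN carrying MSS, NOP, window scale and an
# MP_CAPABLE option (kind 30, length 12, subtype 0) with a made-up 8-byte key.
SAMPLE_SYN = (struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 10 << 4, 0x02, 65535, 0, 0)
              + b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07"
              + b"\x1e\x0c\x00\x81" + b"\x11\x22\x33\x44\x55\x66\x77\x88")

if __name__ == "__main__":
    print("before:", mptcp_subtypes(SAMPLE_SYN))                      # ['MP_CAPABLE']
    print("after :", mptcp_subtypes(strip_mptcp_option(SAMPLE_SYN)))  # []
```

Running mptcp_subtypes over captured SYNs on both sides of the firewall is a quick way to confirm that a zone set to "yes" really strips the option while a zone set to "no" passes it through.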